
Optional DNS checks to add

Open bwbroersma opened this issue 1 year ago • 0 comments

  • #31
  • #34
  • #76
  • #145 (e.g. for MX, based on RFC 1912)
  • #158
  • #184
  • #188
  • #225
  • #265
  • #283
  • #310 / #469
  • #385 (MX CNAME is also not allowed by RFC 2181 § 10.3, and referenced in RFC 5321 § 5.1)
  • DNS violations, e.g. an IP address in MX could give a clearer error test report
  • #715
  • #716
  • #976
  • #978 (related #1370)
  • #1481 (info/report)
  • Show all nameservers involved, from tld to the lowest level, CNAMEs included
  • Test all the nameservers for valid ROA (RPKI)
  • Run DNSSEC validation on all DNS queries, if one of the results is bogus (or there is some qname minimization issue #1358), show this in the DNSSEC results
  • Report about DNS amplification risks. Do ANY (and fallback TXT) on the apex with UDP and check the amplification. Inform about removing validation tokens and blocking ANY (and responding with RFC 8482)
  • Connectivity / up
    • Check all nameservers, also on IPv4
    • Currently any DNS response from IPv6 is okay (e.g. you could copy-paste the root server or another authoritative nameserver AAAA and pass the test).
  • Consistency
    • Nameserver NS consistency between parent and child (and correct glue)
    • Same responses on all nameservers (matrix of IPv4, IPv6, TCP, UDP)
    • SOA consistency between nameservers
  • Could also report about a proper DNS setup / KinDNS aspects / IANA Technical requirements for authoritative name servers (best practices, test done for tld-nameservers) and Technical requirements for the registration and use of .nl domain names
    • both UDP and TCP support #1892
    • query responses > 512 octets: then EDNS0 (RFC 2671) must be supported
    • "on separate (sub)networks" (does this imply a different IP prefix or AS?)
    • RFC 1034, 1035, 1123 and 2181
    • AS diversity
    • IP/prefix diversity (BGP diversity, another idea: 'upstream diversity')
    • TLD diversity (not relevant if the ns TLD == domain TLD, but it would protect against these .nl-zone errors)
    • domain diversity (can be done via TLD diversity) (not relevant if the ns domain == domain)
    • software diversity (via chaos VERSION.BIND request, see RFC 4892)
    • detect anycast (e.g. with bgptools/anycast-prefixes)
  • Report about non-recommended TTLs (too short / long)
  • Report about accumulated risks and performance
    • if there are CNAME chains (propose CNAME flattening / ALIAS, also because of Null MX / SPF, sadly ANAME is not a thing)
    • a lot of delegation
    • if there are nameservers that are not self-defined (circular / glue-record) or not on the most top-level
    • maybe some note about SOA / one of the NSs having the same TLD (= less lookups)
    • report DNS query timing (total, per server)

bwbroersma, Feb 27 '24 13:02
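Added example (not code from the issue or from Internet.nl) of how two of the proposed checks could look over constructed zone data: the MX violations (IP literal as MX target, MX pointing at a CNAME chain, dangling target) and the TLD / in-bailiwick diversity counts for the NS set. The zone contents, domain names and function names are assumptions made for the example.

```python
import ipaddress

# Constructed zone for a hypothetical domain (not real DNS data): owner -> {rrtype: [rdata]}
ZONE = {
    "example.nl.": {
        "MX": ["10 mail.example.nl.", "20 192.0.2.25", "30 alias.example.nl."],
        "NS": ["ns1.example.nl.", "ns2.example.net."],
    },
    "mail.example.nl.": {"A": ["192.0.2.10"]},
    "alias.example.nl.": {"CNAME": ["hop.example.nl."]},
    "hop.example.nl.": {"CNAME": ["mail.example.nl."]},
}

def is_ip_literal(name):
    # True if an MX target is an IPv4/IPv6 address instead of a hostname
    try:
        ipaddress.ip_address(name.rstrip("."))
        return True
    except ValueError:
        return False

def cname_chain(name, zone, max_hops=8):
    """Follow CNAMEs from name; returns every name visited, stopping on loops."""
    chain = [name]
    while "CNAME" in zone.get(chain[-1], {}) and len(chain) <= max_hops:
        nxt = zone[chain[-1]]["CNAME"][0]
        if nxt in chain:  # CNAME loop: report what we have instead of spinning
            break
        chain.append(nxt)
    return chain

def check_mx(zone, apex):
    """Findings for the MX set at apex: IP literals, CNAME targets, dangling targets."""
    findings = []
    for rdata in zone.get(apex, {}).get("MX", []):
        _pref, target = rdata.split()
        if is_ip_literal(target):
            findings.append(f"{target}: IP literal as MX target, must be a hostname")
        elif len(chain := cname_chain(target, zone)) > 1:
            findings.append(f"{target}: MX points to a CNAME chain of {len(chain) - 1} hop(s) "
                            "(RFC 2181 section 10.3 / RFC 5321 section 5.1)")
        elif not (zone.get(target, {}).keys() & {"A", "AAAA"}):
            findings.append(f"{target}: no A/AAAA record for MX target")
    return findings

def ns_diversity(zone, apex):
    # Distinct TLDs and in-bailiwick names in the apex NS set (diversity hints)
    names = zone.get(apex, {}).get("NS", [])
    tlds = {n.rstrip(".").rsplit(".", 1)[-1] for n in names}
    in_bailiwick = sum(1 for n in names if n.endswith("." + apex))
    return {"total": len(names), "tlds": len(tlds), "in_bailiwick": in_bailiwick}
```

Running `check_mx(ZONE, "example.nl.")` on the constructed zone flags the IP-literal MX and the two-hop CNAME target while accepting the MX with a plain A record.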